Fixed a lot of traefik issues for docker swarm deployment

deploy.py

@@ -1,4 +1,5 @@
-from pyinfra import host
+from tasks.ssh import setup_ssh
+
 from pyinfra.operations import apt
 from pyinfra_docker import deploy_docker
 
@@ -9,7 +10,7 @@ apt.packages(
 )
 
 apt.packages(
-    name="Install usefull packages",
+    name="Install useful packages",
     packages=["htop", "curl", "ufw"],
 )
 
@@ -24,4 +25,6 @@ apt.packages(
         ],
 )
 
+setup_ssh()
+
 deploy_docker()

inventory.py

@@ -1,6 +1,4 @@
-# nextcloud = [("172.104.145.146", {"ssh_user": "root"})]
-
-joplin = [
+joplin_old = [
     (
         "joplin.togetherdays.cz", {
             "ssh_user": "root",
@@ -8,3 +6,12 @@ joplin = [
         }
     )
 ]
+
+joplin_new = [
+    (
+        "test.joplin.togetherdays.cz", {
+            "ssh_user": "root",
+            "web_server": True
+        }
+    )
+]

pubkeys/desktop_win.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCphDfhKwJcml31Iwig9PLF0lwUdmEj+C7OgHgh+R8iBhERPs6bvDgtbLcOr0HJ9FbUUgAug1r8pHRiKgF+QWEzUwnf7smF0vg1SB/m9XQfPnwXT3xXGXPPckxAPDhxK40SZyrTv7E99TCRLXK8YvdBDBwXfSpKvX6ReRfkN9FEmq7neRrrNMRxaITHeq5yzDPAisP9lbaikERAVgy0EH5M6UYpCfHITwggfnivzkazYsR+j8w7xNOe0uSUj8mnRA1VRs7Mx1UUdNK7karonxOIhBI58EcoNCyDlK3g5nJ2JgbVwkuG46a9TGx8Wt4MighvI9tq3PgAunxxud2oAGx5qubuT/t53jRoCf45GC/qi7PEQ3gMkEERpST4OyuwAgLgii4vX7auiJWOzMwgyNg387QUGpSZRghovB+CD0WUB8tHlmx5ZPmwS2Enj2GLavSpU4FYYtC8ocn0yI5JESKGpD5U/f3HytAdkI8naFSm/75KcnIiaMbHyc0PD6iuztE= kropi@KropiMasinka

pubkeys/desktop_wsl.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPexUMyL1yGJx0x3lE4QwTLVAsI/0VobbHO9EcP4BsfJ krop@KropiMasinka

pubkeys/laptop_olc.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFcnX9CcpqCdfC4apgd6ccyTSyhPt3mIiSAXD00czPtt jakub.kropacek@olc.cz

pubkeys/laptop_personal.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOUnlAjPnMwJYgZb7YuholdTxifOEFnAyXVqI+xFlHw6 krop@lenar

tasks/ssh.py

@@ -0,0 +1,41 @@
+from pathlib import Path
+
+from pyinfra.api import deploy
+from pyinfra.operations import files, systemd
+
+BASE_DIR = Path(__file__).parent.parent
+
+def deploy_ssh_keys():
+    files.file(
+        name="Create authorized_keys file",
+        path="/root/.ssh/authorized_keys"
+    )
+
+
+    for key_path in BASE_DIR.glob("pubkeys/*.pub"):
+        with open(key_path, "r") as f:
+            key = f.read().strip()
+        files.line(
+            name=f"Adding key {key_path.name} to /root/.ssh/authorized_keys",
+            path="/root/.ssh/authorized_keys",
+            line=key
+        )
+
+def reconfigure_ssh():
+    config_changed = files.line(
+        name="Disable password login",
+        path="/etc/ssh/sshd_config",
+        line="PasswordAuthentication .+",
+        replace="PasswordAuthentication no"
+    ).changed
+
+    systemd.service(
+        name="Restart SSHD service",
+        service="ssh",
+        restarted=config_changed
+    )
+
+@deploy
+def setup_ssh():
+    deploy_ssh_keys()
+    reconfigure_ssh()

templates/joplin/.env.example

@@ -1,4 +1,3 @@
-EMAIL=
 HOST=
 POSTGRES_PASSWORD=
 POSTGRES_DATABASE=

templates/joplin/docker-compose.yml

@@ -1,55 +1,33 @@
 networks:
   traefik-net:
     name: traefik-net
+    external: true
 
 volumes:
-  traefik-certs:
-    name: traefik-certs
+  joplin-pg-data:
+    name: joplin-pg-data
 
 services:
-  traefik:
-    image: traefik:v2.10
-    command:
-      - --providers.docker
-      - --providers.docker.network=traefik-net
-      - --providers.docker.exposedbydefault=false
-      - --entrypoints.web.address=:80
-      - --entrypoints.web.http.redirections.entryPoint.to=websecure
-      - --entrypoints.web.http.redirections.entryPoint.scheme=https
-      - --entrypoints.web.http.redirections.entrypoint.permanent=true
-      - --entrypoints.websecure.address=:443
-      - --certificatesresolvers.le.acme.tlschallenge=true
-      - --certificatesresolvers.le.acme.email=${EMAIL}
-      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
-    ports:
-      - 80:80
-      - 443:443
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-      - traefik-certs:/letsencrypt
   db:
     image: postgres:15
     volumes:
-      - ./data/postgres:/var/lib/postgresql/data
+      - joplin-pg-data:/var/lib/postgresql/data
     restart: unless-stopped
+    networks:
+      - default
     environment:
       - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
       - POSTGRES_USER=${POSTGRES_USER}
       - POSTGRES_DB=${POSTGRES_DATABASE}
+
   joplin:
     image: joplin/server:latest
     depends_on:
       - db
     restart: unless-stopped
-    labels:
-      - traefik.enable=true
-      - traefik.http.routers.joplin.rule=Host(`${HOST}`)
-      - traefik.http.routers.joplin.entrypoints=websecure
-      - traefik.http.routers.joplin.tls.certresolver=le
-      - traefik.http.services.joplin.loadbalancer.server.port=22300
     environment:
       - APP_PORT=22300
-      - APP_BASE_URL=${HOST}
+      - APP_BASE_URL=https://${HOST}
       - DB_CLIENT=pg
       - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
       - POSTGRES_DATABASE=${POSTGRES_DATABASE}
@@ -64,3 +42,14 @@ services:
       - MAILER_AUTH_PASSWORD=${MAILER_AUTH_PASSWORD}
       - MAILER_NOREPLY_NAME=${MAILER_NOREPLY_NAME}
       - MAILER_NOREPLY_EMAIL=${MAILER_NOREPLY_EMAIL}
+    networks:
+      - traefik-net
+      - default
+    deploy:
+      labels:
+        - traefik.enable=true
+        - traefik.docker.network=traefik-net
+        - traefik.http.routers.joplin.rule=Host(`${HOST}`)
+        - traefik.http.routers.joplin.entrypoints=websecure
+        - traefik.http.routers.joplin.tls.certresolver=le
+        - traefik.http.services.joplin.loadbalancer.server.port=22300

templates/traefik/.env.example

@@ -0,0 +1 @@
+EMAIL=

templates/traefik/docker-compose.yml

@@ -0,0 +1,48 @@
+networks:
+  traefik-net:
+    name: traefik-net
+
+volumes:
+  traefik-certs:
+    name: traefik-certs
+
+services:
+  traefik:
+    image: traefik:v2.10
+    command:
+      - --api.dashboard=true
+      - --providers.docker
+      - --providers.docker.network=traefik-net
+      - --providers.docker.exposedbydefault=false
+      - --providers.docker.swarmMode=true
+      - --entrypoints.web.address=:80
+      - --entrypoints.web.http.redirections.entryPoint.to=websecure
+      - --entrypoints.web.http.redirections.entryPoint.scheme=https
+      - --entrypoints.web.http.redirections.entrypoint.permanent=true
+      - --entrypoints.websecure.address=:443
+      - --certificatesresolvers.le.acme.tlschallenge=true
+      - --certificatesresolvers.le.acme.email=${EMAIL}
+      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
+    ports:
+      - target: 80
+        published: 80
+        mode: host
+      - target: 443
+        published: 443
+        mode: host
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - traefik-certs:/letsencrypt
+    networks:
+      traefik-net:
+    deploy:
+      placement:
+        constraints:
+          - node.role == manager
+#      labels:
+#        - traefik.enable=true
+#        - traefik.http.routers.dashboard.rule = PathPrefix(`/traefik`)
+#        - traefik.http.routers.dashboard.service=api@internal
+#        - traefik.http.routers.dashboard.middlewares=auth
+#        - traefik.http.services.dashboard.loadbalancer.server.port=8080
+#        - traefik.http.middlewares.auth.basicauth.users=krop:$$apr1$$YAMELker$$W7BRLr8GbsqVdaVjp9qOI/